Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 5 Web Proxy Services
Bypassing the Web Proxy
• Prevent the Web Proxy from interfering with non-HTTP-compliant (or proprietary) protocols using
  HTTP ports that do not work properly when they connect to a proxy server.
• Ensure that traffic from a particular machine inside the network, such as a malware test machine,
  bypasses the Web Proxy and all its built-in security protection.
Define the proxy bypass list on the Web Security Manager > Bypass Settings page.
Figure 5-1 shows a sample proxy bypass list.
Figure 5-1 Proxy Bypass List
To include an address in the proxy bypass list, click Edit Proxy Bypass Settings. You can enter multiple
addresses separated by line breaks or commas. You can enter addresses using any of the following
formats:
• IP address, such as 10.1.1.0
• CIDR address, such as 10.1.1.0/24
• Hostname, such as crm.example.com
• Domain name, such as example.com
Note
For the proxy bypass list to work with domain names, you need to connect the T1 and T2 network
interfaces to the network even if you do not enable the L4 Traffic Monitor. For more information, see
.
When transactions bypass the Web Proxy, AsyncOS for Web records them in the proxy bypass logs. For
more information about logging, see
Note
If the proxy bypass list contains an address that is a known malware address according to the L4 Traffic
Monitor and the L4 Traffic Monitor sees a request for that address, then the request will still be blocked
by the L4 Traffic Monitor. If you want to ensure traffic to that address is always allowed, you must also
bypass the address from the L4 Traffic Monitor. For more information, see
Understanding How the Proxy Bypass List Works
When the Web Proxy receives an HTTP or HTTPS request, it checks both the source and destination IP
address to see if it is in the proxy bypass list. If it is, the packet is sent to the next hop on the network.
(In some cases, the packet is sent back to the transparent redirection device that redirected the packet, if
the packet arrived on a WCCP service using GRE.)
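The check described above can be modelled offline to review what a bypass list actually exempts. This is an added example, not code from the Cisco guide or from AsyncOS. The function names and the `resolved` name-to-IP map (standing in for DNS lookups) are assumptions, the sample addresses are constructed, and it does not model how the appliance resolves hostnames versus domain names.

```python
import ipaddress
import re

# Hostname/domain shape check: dot-separated labels ending in an alphabetic label.
NAME_RE = re.compile(r"^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

def parse_bypass_list(text):
    """Split on commas or line breaks; classify entries as ip, cidr, name or invalid."""
    entries = []
    for raw in re.split(r"[,\r\n]+", text):
        item = raw.strip().lower()
        if not item:
            continue
        try:
            kind = "cidr" if "/" in item else "ip"
            entries.append((kind, ipaddress.ip_network(item, strict=False)))
        except ValueError:
            entries.append(("name" if NAME_RE.match(item) else "invalid", item))
    return entries

def bypass_decision(src, dst, entries, resolved=None):
    """Return (bypassed, reason) for one request.

    resolved is a hypothetical {name: [ip, ...]} map standing in for DNS lookups.
    """
    resolved = resolved or {}
    addrs = {"source": ipaddress.ip_address(src), "destination": ipaddress.ip_address(dst)}
    for kind, value in entries:
        if kind in ("ip", "cidr"):
            nets = [value]
        elif kind == "name":
            nets = [ipaddress.ip_network(a) for a in resolved.get(value, [])]
        else:
            continue  # invalid entries never match
        for role, addr in addrs.items():
            if any(addr in net for net in nets):
                return True, f"{role} {addr} matches {kind} entry {value}"
    return False, "no bypass entry matched"

if __name__ == "__main__":
    # Constructed sample list using the formats shown in the guide.
    sample = "10.1.1.0/24, crm.example.com\nexample.com,10.2.2.5"
    rules = parse_bypass_list(sample)
    dns = {"crm.example.com": ["192.0.2.10"]}  # constructed resolution result
    for src, dst in [("10.1.1.77", "198.51.100.9"), ("172.16.0.5", "192.0.2.10"),
                     ("172.16.0.5", "203.0.113.4")]:
        print(src, "->", dst, bypass_decision(src, dst, rules, dns))
```

Every request for which this returns a match is traffic that skips the Web Proxy and its security protection, so the output is a quick way to see how far a broad CIDR or name entry reaches.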
The proxy bypass list works by matching the IP addresses of the request to an IP address in the proxy
bypass list. When names are entered in the bypass list, the Web Proxy must resolve them to an IP address
using DNS. The Web Proxy DNS resolves hostnames differently than domain names: